1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for user authentication.
2. Description of the Background Art
User authentication becomes more critical as more remote online services are moved to the cloud. Currently, the most commonly used authentication process involves usernames and passwords. However, username- and password-based user authentication does not provide sufficient security and is not user-friendly. Simple passwords can be easily cracked or guessed, while strong passwords are difficult to remember and input. Worse, some web servers even require multiple passwords for security reasons. Other authentication processes employ secondary factors, such as sending one-time passwords via short message service (SMS) or a dedicated device that generates session-based passcodes. However, these secondary factors add extra steps that need to be performed by users, thereby negatively affecting the user experience, and may still not adequately address security issues. For example, malicious software, such as key loggers or malicious browser plug-ins, may be able to steal usernames, passwords, and other credentials when they are manually entered by the user. Furthermore, because usernames and passwords are easily copied and replicated, service providers are unable to tell with a good degree of certainty whether a person who presents these credentials is actually an authorized user.
User authentication may also be performed by using one device to log on to the online service over one communication channel and another device to present user credentials for authentication over another channel. For example, private keys and usernames may be stored on a smartphone, which sends the service provider a session identifier that is cryptographically signed using the private key. This presents a potential security risk because stolen or lost smartphones could be cracked to acquire the private keys and usernames. Another concern is that this approach does not provide sufficient flexibility when a user has multiple accounts with an online service. Furthermore, it is normal for a user to have more than one smartphone. If the private keys and usernames are stored in only one smartphone, having a secondary backup device for identification becomes impossible.
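The two-channel scheme just described, as an added illustrative example that is not part of the patent text: the server hands a random session identifier to the first channel (the browser), the phone signs that identifier with its stored private key and returns it with the username on the second channel, and the server verifies the signature against the single public key it registered for that username. The use of Ed25519, the session-identifier format, and the one-key-per-username registry are assumptions made for the example; they are not prescribed by the background description.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server models the service provider (assumed design for this example). It keeps
// one registered public key per username and the set of session identifiers
// that are still waiting to be signed.
type Server struct {
	pubKeys  map[string]ed25519.PublicKey
	sessions map[string]bool
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, sessions: map[string]bool{}}
}

// Register stores the public key the phone enrolled for this username.
func (s *Server) Register(username string, pk ed25519.PublicKey) {
	s.pubKeys[username] = pk
}

// NewSession is the first channel: the browser asks for a session and receives
// a fresh random identifier (typically shown to the user, e.g. as a QR code).
func (s *Server) NewSession() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	s.sessions[id] = true
	return id, nil
}

// Authenticate is the second channel: the phone presents the username, the
// session identifier and the signature over it. The session is consumed on
// success so the same signed identifier cannot be replayed later.
func (s *Server) Authenticate(username, sessionID string, sig []byte) error {
	if !s.sessions[sessionID] {
		return errors.New("unknown or already used session")
	}
	pk, ok := s.pubKeys[username]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pk, []byte(sessionID), sig) {
		return errors.New("signature does not verify")
	}
	delete(s.sessions, sessionID)
	return nil
}

// Phone holds the username and private key on the device, as in the background.
type Phone struct {
	username string
	priv     ed25519.PrivateKey
}

// NewPhone generates a key pair at enrolment and returns the public key that
// the server must register for the username.
func NewPhone(username string) (*Phone, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Phone{username: username, priv: priv}, pub, nil
}

// Sign produces the message the phone sends on the second channel.
func (p *Phone) Sign(sessionID string) (string, []byte) {
	return p.username, ed25519.Sign(p.priv, []byte(sessionID))
}

func main() {
	srv := NewServer()
	phone, pub, err := NewPhone("alice")
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pub)

	id, _ := srv.NewSession()   // channel 1: browser obtains the session id
	user, sig := phone.Sign(id) // channel 2: phone signs it with its private key
	fmt.Println("login:", srv.Authenticate(user, id, sig))
	fmt.Println("replay:", srv.Authenticate(user, id, sig))
}
```

Because the server stores exactly one public key per username, a second phone enrolled with its own key pair is rejected for the same account, which is the single-device limitation the paragraph points out; and whoever holds the private key can produce a valid signature for any session, which is why loss of the device is the risk it describes.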